1 October 2018

Linux Buffer Overflow Example

I uploaded a video and wrote about a Windows Buffer Overflow Example two weeks ago. I learnt a lot with that example, but I wanted to study Linux buffer overflows as well. Therefore, I’ve been testing with the crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow these days. I installed a 32-bit Kali Linux with the crossfire server, which is an online computer game, and thanks to the edb debugger and Python scripts I’ve been able to learn how to exploit a Linux buffer overflow vulnerability. You can check it in the next video.

Firstly, I started the virtual machine with the NX protection disabled (noexec=off) and executed the crossfire server, which listens on TCP port 13327. I also tested a simple Python script that sends 4379 ‘A’s to the vulnerable service. We can see how the program crashes and the ESP register contains many ‘A’s, or ‘41’ in hex. However, we have to find the specific EIP memory location, so I created a unique string which is sent to the vulnerable server through the malicious script. After I controlled the EIP register, I had to know where I was going to save the shellcode. Following the EIP register, only 7 bytes are left, so the shellcode can’t be saved there. As a result, I pointed to the EAX register, where the shellcode is going to be located. The next challenge is to locate a JMP ESP instruction in memory to insert it into the EIP register. Finally, I created a payload with the msfvenom tool to add it into the script, which gives us a Linux remote reverse shell.
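The defensive side of the bug class the post exploits, as an added example that is not code from the original post or from the crossfire project: a hypothetical fixed-size "setup" handler in its unbounded-copy form beside a length-checked version, plus a crude network-side heuristic that flags a message that is oversized or dominated by one repeated byte, like the 4379 ‘A’s sent above. The buffer size, the run-length threshold and all function names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer for a "setup" message. The size is an
 * assumption for this example and is not taken from crossfire's source. */
#define SETUP_BUF 256

/* The classic defect behind a stack buffer overflow: an unbounded copy of
 * attacker-controlled input into a fixed-size stack buffer. Shown for contrast
 * only; this example never calls it with input longer than SETUP_BUF. */
static void parse_setup_unsafe(const char *msg)
{
    char buf[SETUP_BUF];
    strcpy(buf, msg);              /* no length check at all */
    printf("unsafe handler got: %s\n", buf);
}

/* Hardened handler: the caller passes the explicit length and the destination
 * capacity, and anything that would not fit (including the NUL) is rejected
 * before a single byte is copied. Returns 0 on success, -1 on rejection. */
int parse_setup_safe(const char *msg, size_t len, char *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || out_cap == 0)
        return -1;
    if (len >= out_cap)            /* need room for the terminating NUL */
        return -1;
    memcpy(out, msg, len);
    out[len] = '\0';
    return 0;
}

/* Crude network-side heuristic a defender could log on: a message is
 * suspicious if it is longer than the protocol ever needs, or if it is
 * dominated by one repeated byte. The threshold is an assumption. */
#define MIN_SUSPICIOUS_RUN 64

int looks_like_overflow_probe(const unsigned char *msg, size_t len,
                              size_t max_expected)
{
    if (len > max_expected)
        return 1;
    size_t run = 1, longest = len ? 1 : 0;
    for (size_t i = 1; i < len; i++) {
        run = (msg[i] == msg[i - 1]) ? run + 1 : 1;
        if (run > longest)
            longest = run;
    }
    return longest >= MIN_SUSPICIOUS_RUN;
}

/* Constructed sample input: n copies of byte c, like the post's 'A' string. */
static unsigned char *make_probe(size_t n, unsigned char c)
{
    unsigned char *p = malloc(n ? n : 1);
    if (p)
        memset(p, c, n);
    return p;
}

/* Does the hardened parser accept a message of 'len' bytes of 'A'?
 * Returns 0 if accepted, -1 if rejected, -2 on allocation failure. */
int check_setup_length(size_t len)
{
    unsigned char *probe = make_probe(len, 'A');
    if (!probe)
        return -2;
    char out[SETUP_BUF];
    int rc = parse_setup_safe((const char *)probe, len, out, sizeof out);
    free(probe);
    return rc;
}

/* Is a constructed probe of 'len' bytes of 'c' flagged by the heuristic?
 * Returns 1 if flagged, 0 if not, -1 on allocation failure. */
int probe_flagged(size_t len, unsigned char c, size_t max_expected)
{
    unsigned char *probe = make_probe(len, c);
    if (!probe)
        return -1;
    int flagged = looks_like_overflow_probe(probe, len, max_expected);
    free(probe);
    return flagged;
}

int main(void)
{
    parse_setup_unsafe("setup sound 0");   /* short input, no overflow here */
    printf("13 bytes accepted (0): %d\n", check_setup_length(13));
    printf("4379 bytes rejected (-1): %d\n", check_setup_length(4379));
    printf("4379 x 'A' flagged (1): %d\n", probe_flagged(4379, 'A', 1024));
    return 0;
}
```

The post turns NX off so that the stack is executable; the length check in `parse_setup_safe` removes the overflow itself, so it holds whether or not NX, stack canaries or ASLR are present. The heuristic is only a detection aid: a long run of one byte is what a first crash probe looks like on the wire, but a real payload will not necessarily repeat bytes, so the length bound is the check that matters.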

Regards, my friends. This is another amazing demo for understanding how buffer overflows work. I recommend you do it yourself.